Bug 128462 - CAN-2004-0721 Konqueror frame injection spoofing
Summary: CAN-2004-0721 Konqueror frame injection spoofing
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 3
Classification: Red Hat
Component: kdelibs   
(Show other bugs)
Version: 3.0
Hardware: All Linux
medium
medium
Target Milestone: ---
Assignee: Ngo Than
QA Contact:
URL:
Whiteboard:
Keywords: Security
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2004-07-23 08:12 UTC by Mark J. Cox
Modified: 2007-11-30 22:07 UTC (History)
1 user (show)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2004-10-04 15:28:46 UTC
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments (Terms of Use)
post-3.0.5b-kdebase-htmlframes.patch (7.22 KB, patch)
2004-08-09 20:41 UTC, Josh Bressers
no flags Details | Diff
post-3.0.5b-kdelibs-htmlframes.patch (14.50 KB, patch)
2004-08-09 20:42 UTC, Josh Bressers
no flags Details | Diff
post-3.1.5-kdebase-htmlframes.patch (6.57 KB, patch)
2004-08-09 20:43 UTC, Josh Bressers
no flags Details | Diff
post-3.1.5-kdelibs-htmlframes.patch (14.61 KB, patch)
2004-08-09 20:43 UTC, Josh Bressers
no flags Details | Diff
post-3.2.3-kdebase-htmlframes.patch (6.57 KB, patch)
2004-08-09 20:44 UTC, Josh Bressers
no flags Details | Diff
post-3.2.3-kdelibs-htmlframes.patch (15.29 KB, patch)
2004-08-09 20:44 UTC, Josh Bressers
no flags Details | Diff


External Trackers
Tracker ID Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2004:412 normal SHIPPED_LIVE Moderate: kdelibs, kdebase security update 2004-10-05 04:00:00 UTC

Description Mark J. Cox 2004-07-23 08:12:01 UTC
Konqueror does not properly prevent a frame in one domain from
injecting content into a frame that belongs to another domain, which
facilitates web site spoofing and other attacks, aka the frame
injection vulnerability.

http://secunia.com/multiple_browsers_frame_injection_vulnerability_test/

        CAN-2004-0721 Affects: 3AS 3ES 3WS 3Desktop
        CAN-2004-0721 Maybe Affects: 2.1AS 2.1AW 2.1ES 2.1WS

As found Jul01

Comment 1 Ngo Than 2004-08-02 13:45:03 UTC
it's kdelibs. i assign it to correct component

Comment 2 Josh Bressers 2004-08-04 12:47:15 UTC
This issue does affect RHEL2.1.

Comment 3 Josh Bressers 2004-08-09 20:41:58 UTC
Created attachment 102541 [details]
post-3.0.5b-kdebase-htmlframes.patch

These are the lastest round of patches that fix some issues upstream discovered
with the old patches.

Comment 4 Josh Bressers 2004-08-09 20:42:25 UTC
Created attachment 102542 [details]
post-3.0.5b-kdelibs-htmlframes.patch

Comment 5 Josh Bressers 2004-08-09 20:43:01 UTC
Created attachment 102543 [details]
post-3.1.5-kdebase-htmlframes.patch

Comment 6 Josh Bressers 2004-08-09 20:43:40 UTC
Created attachment 102544 [details]
post-3.1.5-kdelibs-htmlframes.patch

Comment 7 Josh Bressers 2004-08-09 20:44:27 UTC
Created attachment 102545 [details]
post-3.2.3-kdebase-htmlframes.patch

Comment 8 Josh Bressers 2004-08-09 20:44:55 UTC
Created attachment 102546 [details]
post-3.2.3-kdelibs-htmlframes.patch

Comment 9 Ngo Than 2004-08-13 16:28:35 UTC
kdelibs/kdebase are already built for RHEL3/2.1AS

Comment 10 Josh Bressers 2004-10-04 15:28:46 UTC
An errata has been issued which should help the problem 
described in this bug report. This report is therefore being 
closed with a resolution of ERRATA. For more information
on the solution and/or where to find the updated files, 
please follow the link below. You may reopen this bug report 
if the solution does not work for you.

http://rhn.redhat.com/errata/RHSA-2004-412.html


Comment 11 John Newbigin 2004-10-05 00:26:08 UTC
Should there be an ERRATA for RHEL2.1AS?  For all other EL versions
there is kdebase & kdelibs.  2.1AS only has kdelibs.

Comment 12 Josh Bressers 2004-10-05 13:39:04 UTC
An errata has been issued which should help the problem 
described in this bug report. This report is therefore being 
closed with a resolution of ERRATA. For more information
on the solution and/or where to find the updated files, 
please follow the link below. You may reopen this bug report 
if the solution does not work for you.

http://rhn.redhat.com/errata/RHSA-2004-412.html


Comment 13 Josh Bressers 2004-10-05 13:45:49 UTC
The missing files should be available now.  Thanks for catching that.


Note You need to log in before you can comment on or make changes to this bug.